5100Comp : Project Proposal : Assessment Answer

Question: 

Answer: 

Introduction:

In this technological era, one of the major worries is Security. These widespread safety concerns majorly target web applications as well as various Internet-based services linked to institutions, organizations, and firms. To guarantee security, the conventional value offered to web users in addition to reliable mediums ought to be incorporated in web applications. This study concentrates on the particular issue of cross-site scripting intrusion prevention that targets web applications. The type of intrusions, as well as techniques for countering them, will also be studied. Discussion on every approach touching on the pros and cons as well as alternative solutions will be covered Sonewar and Mhetre, (2015).

This paper’s hypothesis bases its findings on the authorization policies manifestation using XACML and X.509 certificates. Web developers for a particular web application are at will to indicate specific security provisions from the server side. The web creators can also demand the rightful administration of the provisions on those customers meeting the set in the event of employing the solution herein .by relaying in safe redirect calls and SSL, this approach is incorporated seamlessly in the universal web applications Doupé et al (2013).

Project Aims and Objectives

A significant shift in the policies and procedures regarding strategies used in securing web applications has been experienced in the recent few years. Intrusions by hackers on official Twitter accounts of prominent institutions as Fox has raised more questions than answers concerning the security mechanisms put in place by web application developers.

Therefore, this paper’s primary aim is to find out the preventive measures against cross-site scripting intrusions. Getting the defensive mechanisms to the raising security menace on web applications will be so essential in safeguarding end users’ data and information.  

Research Questions

How to prevent web application is the prime question that this study will seek to find solutions to. The types of web scripting intrusions, as well as their manifestation, will also need revelations.  Other questions, however, exist including the characteristic mechanisms of web applications, the reliability of the security measures in place as well as the how to improve the security standards of web applications.

Research Objectives

The primary motivation behind carrying out this study is clear and aims at achieving the goal of preventing an intrusion on web applications.  Such intrusions if not controlled may lead to endangering personal and even civil data and information. Chief objectives of this research include observation of current scenario on the web application security, identification of the strengths as well as vulnerabilities of web applications, finding out end users’ pleas and expectations and conversely making recommendations based on the assessment of web application security.

Overview and Motivation

Various application software companies are increasingly using the web prototype in their design approaches .web development models enable designing prevalent applications that can possibly be utilized by millions of clients ranging from the simplest to the complicated web users. In addition, the mere fact that emergent technologies exist is an opportunity for web features enhancement although the safety mechanisms to be included in such web applications in increasingly proofing to be difficult.

Web developers need to provide functional mechanisms in addition to the expected value that their end users get to be secured while using the resources and data linked to the web applications deployed for use. The current techniques used in securing conventional applications fall short sometimes during the directing of web prototypes hence leaving the clients to take care of fundamental components of the services. Tasking the end users with the responsibility for safeguarding some web application services may lead to compromising the application’s safety provisions and hence should be avoided at all costs.

This study concentrates on the particular example of Cross-Site Scripting assaults (XSS) against the web applications security. XSS assault spreads after an introduction of a malicious code to the web application with the intention of jeopardizing the created trust connection between a client and the site being visited by the end user on the web application.  On successful exploitation of the web application’s vulnerability, the code injector is free to bypass the application’s controls as well as its integrity providing safety to the end user Gupta and Gupta, (2017).

Background and Related Literature Review

This study focuses on the provision of fussy examination of elapsed web application security. An analysis of the literature on web application outlines the exploitative nature of the web applications that web developers still critically research on Luttgen , Pepe and Mandia, (2016).

Various XSS intrusions and their susceptible targets exist. Two types of the XSS intrusions on today’s web applications will be described in depth in this report. Discussions on how to prevent those including scripts analysis, web browsers runtime enforcement, and web content filtering.

XSS (Cross-Site Scripting) Intrusions.

Cross-Site Scripting intrusions refer to the performed against web applications with the intention of taking control of and end users’ browser by an attacker for purposes of malicious script execution.  The malicious code, which is usually a Javascript4 or Html in nature and is introduced within the web application’s site trust.  Following a triumphant execution of the ingrained code, free active or passive access by the attacker is gained to all the private browser resources including individual session IDs and even cookies. There exist two types of cross-site scripting intrusions, stored or persistent intrusions and the non-persistent or reflected intrusions Hox et al (2017) .

Persistent XSS Intrusions

After an attacker’s introduction of malicious codes chiefly the HTML and JavaScript into the web application, it is constantly kept data vault of the application. Consequently, when the end user loads the destructive code into the browsers and remembering that the code is as a trusted source of the website of the application, its allowed to access the sensitive data in the repository of cookies. It is in this manner that the malicious code is able to hijack the client’s sensitive information, which is naturally stored in the web application’s repository. All this is carried out against the fundamental security policy of search engines allowing access to stored data only to the rightful users who stored the data Panja et al , (2017).

Web developers for a particular web application are at will to indicate specific security provisions from the server side. The web creators can also demand the rightful administration of the provisions on those customers meeting the set in the event of employing the solution herein .by relaying in safe redirect calls and SSL, this approach is incorporated seamlessly in the universal web applications. Persistent XSS intrusions are traditionally associated to message boards web applications with weak input validation mechanisms. An instance of persistent was the intrusion on Hotmail, which was then discovered and thwarted.

Non-Persistent XSS Intrusions

It is also called a reflected XSS intrusion. Here, injected code exploits a web application’s weakness by taking the opportunity of information provided by the end user for purposes of creating an outgoing page for the user in question. The third party directly through a third party technique like an advertisement that is so rampant nowadays can see the introduced code. The attacker can also employ another tactic of tricking the end user to click on a link containing the untrusted code through spoofed email usage.

A successful click on the malicious sends the initial code to the end user but through the trusted context of the website. In a similar way, the browser maintaining that trust with the malicious code can send related information like session IDs and cookies which comprises the end user as a result.

Combined with mechanisms like social engineering and phishing, non-persistent XSS intrusions are the most experienced and disturbing kind of XSS intrusions performed on today’s web applications. Non-persistent XSS intrusions are commonly used for fraudulent activities by most skilled attackers.

Attackers’ extremes with JavaScript?

The aftermath of an exploited JavaScript on web application may not instantly stand out primary because all browsers run JavaScript in a very tightly regulated setting and that JavaScript has restricted admittance to the client’s operating system and the client’s files

Nonetheless, the consideration that JavaScript put up admittance various exploitative, it is straightforward to demonstrate whence inventive felons put up to get with JavaScript.

Ill-disposed JavaScript has admittance to all the same objects the rest of the web page has, together with admittance to cookies. Cookies are employed to store session tokens if an attacker put up to secure a client’s session cookie, they put up imitate that client.

JavaScript can interpret and perform random alterations to the browser’s DOM, JavaScript is at will to use XML Http Request to send HTTP requests with arbitrary content to arbitrary destinations and finally, JavaScript in modern browsers is able to influenceHTML5 APIs together with accessing a client’s webcam geo location, microphone and even the explicit files from the client’s file system. XSS in combination with some smart social engineering put up bring an intruder a long way although  most of the above APIs need client entrance.

As described, in combination with social engineering, permit felons to pull off advanced assaults together with keylogging, cookie fraud, identity fraud, and phishing. Severely, XSS weaknesses present the ideal basis for felons to escalate assaults to more serious ones.

Prevention Strategies

Even with extensive and notable evolution, concerning web applications after initial assaults on them, such intrusions never stopped there. XSS intrusion mitigation needs more than cryptography techniques and more conventional way via the use of firewalls. In addition, use of secure coding practices or secure programming models has all been outclassed Wasserman and Su, (2014).

With the inadequacies that come with conventional methods of web application security, improved strategies need be developed for XSS intrusions detection and prevention.  XSS intrusions are grouped into two approaches, those that filter and analyze exchanged information and through web browsers’ runtime coercion Snehi and Dhir, (2015).

Filtering and examination of the shared Information

For purposes of dealing with the persistent and non-persistent cross-site scripting intrusions, most modern browsers perform filtering on rich content between the website and browsers. The filtration technique is conducted through the definition of allowable special tags and characters on which rejection is bound to befall any content not enlisted Kirda et al (2014).

An alternative to these XSS intrusion can be prevented through encoding mechanism in which those characters are made to be less harmful. Nevertheless, these mechanisms can easily by bypass by skilled attackers or hackers especially those with intention of carrying out online fraud.

Another lesser mechanism is using policy-based techniques. Here a proxy server is positioned in the applications site to filter all incoming and outgoing data streams. This proxy filtering mechanism entails enforcing some set policy rules set by the developers of the application Kieyzun et al (2009).

Web Browsers Runtime Enforcement

This is an alternative to the aforementioned issue on XSS intrusion prevention regarding percolation of web content on the client and or server grounded proxies. Subjecting the Java-Scripts interpreter to an auditing system is the concept concerning runtime enforcement.  Mozilla browser as an intrusion detection system uncovering any violations of it and taking appropriate defensive measure against it mostly uses JavaScript Bisht and Venkatakrishnan, (2013).

The concept in runtime is a revelation of anomalies like a web application’s site cookies being transferred to suspicious parties. The interpreters like Flash and Java need be integrated to all browsers for greatest achievements to be realized Rao et al (2016).

A policy-based administration in which all activities are ingrained in documents where server-browser exchanges occur and the browser interpreter can either decide to let it pass or be denied permission.

Briefing on current prevention techniques

Our reviewed proposals need more development to be able to deal with the web application issues.It is very essential to put conformity between browser and server grounded solutions for a successful take on the XSS intrusion. This paper takes a different stand although web browser enforcement offers better security options be it on client or server inclined proxy solutions Shulman, Karlebach (2015).

Research Design

Research design, which encompasses a structured scheme that controls a research proposal, is a methodical plan, which directs the proposed research as stated by Lewis (2015).  The research design is essentially a draft or layout of an entire research. This paper’s scheme includes data collection followed by its analysis, interpretation then finally the findings and wrapping up.

Project Methodology and Justification

In order to attain the stated research objectives, secondary sources including online journals published articles information security featured articles, various cybersecurity textbooks, articles from case studies on web application securities and other Google search input.

The primary approach to be employed in this study will be methodological exploration entailing both quantitative and qualitative methods of evaluation. In addition, some primary data sources including using questionnaires and setting up personal interviews with a number of software engineering security experts in the United Kingdom will be used Takhar and Ghorbani, (2017).  For qualitative analysis purposes, feedback from the 10-15 queries as well as the beneficial information from the interviews will be used.

Concerning, the research design, a retrospective study involving past web scripting intrusions will be analyzed for their preferred format of execution. Besides revisiting past occurrences, for a comprehensive research regarding web scripting intrusions, both probability and non-probability methods of sampling will be employed in this study McNely, Spinuzzi and Teston, (2015).

Data Analysis:

Quantitative and qualitative interpretations will be conducted after understanding the significance of having robust security measures in place. Data matrix analysis will be a great proposal for the quantitative data. Discerning web application threats on the affected applications as well as the clients will enable carrying out a correlation using graphs and tables.  Qualitative data analysis will require the employment of   ‘data display and analysis' method. Data display and analysis contains three subcategories of data presentation in pictorial or graphical arrangement then data reduction, which refers to doing away with unnecessary data and the third sub-process of data verification and conclusion.  

 Requirements of the Research

With secondary sources, being the major data collection methods for the research, internet means, and the library will form the bigger share in the collection of data soft and published copies for use in the literature review. For personnel requirements,  interviews with end users, as well as web developers, will be covered.  Depending on such sources, database companies, research papers, encyclopedias, periodicals and published researches. Laptops with network connectivity on which security tests performed on browsers like Chrome, Firefox, and many others will be needed for the research. Powerful safety detection tools from CCNA will be fundamental requirements too.

Research contribution

Web scripting intrusion study is an extension case on web application security researched on before. Nevertheless, this paper concentrates on the intrusions, their types as well as the methods of thwarting the discussed malicious intrusion. Various researches have been carried out concerning the intrusions but very few have been exhaustive in their findings. This means another study was essential, as the web cross-site scripting assaults are currently a hot topic in software engineering and related fields. This study seeks to be the connecting factor in the missing pieces of web security. Carrying out a broader and extensive research will certainly bring the difference.

Plan of Works

Any successful project needs to be scheduled effectively for purposes of correct alignment of responsibilities as well as the timeline restriction enforcement. Concerning the web scripting intrusions research, its schedule will be:

July-August (2018)

 Topic selection

 Review of the literature

Supervisor’s approval on the topic

August-September (2018)

Data collection or gathering

The initial draft of the proposal

 Break

September-October (2018)

Supervisor approval of the proposal

Updates concerning the proposal (if need be)

Second supervisor approval (if need be)

October-November (2018)

The initial layout of the actual research

Supervisor’s approval

Amendments on the initial draft (if need be)

Second supervisor’s consent (if necessary)

Final research draft

Last supervisor’s consent

Project submission

An all-inclusive Gantt chart will be created for the entire research on which even the minor details will be featured.

Conclusion:

The ever-rising employment of web paradigms for widespread applications creation is enabling entrant security dangers against the structures under laying those applications. There is a need for consideration for support mechanisms by the developers of web applications to ensure that the end users enjoy protected programming codes, coding practices shielded vulnerabilities together with availing development fabric for disposal of safe web applications into the masses. The discussion of the cross-site scripting intrusion in the research has revealed the threats it poses to both the website as well as the end user. However, with rightful investment, web-scripting assaults can be stopped with methods discussed above. Due to the criticality of data that goes through websites like government information, highly classified security information, health data, and other information deemed private, its eminent for web developers to reconsider their security strategies as far as web applications are concerned.

Bibliography:

Bisht, P. and Venkatakrishnan, V.N., 2008, July. XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 23-43). Springer, Berlin, Heidelberg.

Doupé, A., Cui, W., Jakubowski, M.H., Peinado, M., Kruegel, C. and Vigna, G., 2013, November. deDacota: toward preventing server-side XSS via automatic code and data separation. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (pp. 1205-1216). ACM.

Gupta, S. and Gupta, B.B., 2017. Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art. International Journal of System Assurance Engineering and Management, 8(1), pp.512-530.

Hox, J.J., Moerbeek, M. and Van de Schoot, R., 2017. Multilevel analysis: Techniques and applications. Routledge.

Kieyzun, A., Guo, P.J., Jayaraman, K. and Ernst, M.D., 2009, May. Automatic creation of SQL injection and cross-site scripting attacks. In Proceedings of the 31st International Conference on Software Engineering (pp. 199-209). IEEE Computer Society.

Kirda, E., Kruegel, C., Vigna, G. and Jovanovic, N., 2006, April. Noxes: a client-side solution for mitigating cross-site scripting attacks. In Proceedings of the 2006 ACM symposium on Applied computing (pp. 330-337). ACM.

Luttgens, J.T., Pepe, M. and Mandia, K., 2014. Incident response & computer forensics. McGraw-Hill Education Group.

Lewis, S., 2015. Qualitative inquiry and research design: Choosing among five approaches. Health promotion practice, 16(4), pp.473-475.

McNely, B., Spinuzzi, C. and Teston, C., 2015. Contemporary research methodologies in technical communication. Technical Communication Quarterly, 24(1), pp.1-13.

Panja, B., Gennarelli, T. and Meharia, P., 2015, February. Handling cross site scripting attacks using cache check to reduce webpage rendering time with elimination of sanitization and filtering in light weight mobile web browser. In Mobile and Secure Services (MOBISECSERV), 2015 First Conference on(pp. 1-7). IEEE.

Parameshwaran, I., Budianto, E., Shinde, S., Dang, H., Sadhu, A. and Saxena, P., 2015, August. DexterJS: robust testing platform for DOM-based XSS vulnerabilities. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering (pp. 946-949). ACM.

Shulman, A. and Karlebach, G., Imperva Inc, 2015. System and method for preventing web frauds committed using client-scripting attacks. U.S. Patent 8,984,630.

Snehi, J. and Dhir, R., 2013. Web client and web server approaches to prevent xss attacks. International Journal of Computers & Technology, 4(2b1), pp.345-352.

Sonewar, P.A. and Mhetre, N.A., 2015, January. A novel approach for detection of SQL injection and cross site scripting attacks. In Pervasive Computing (ICPC), 2015 International Conference on (pp. 1-4). IEEE.

Takhar-Lail, A. and Ghorbani, A., 2015. Market Research Methodologies: Multi-Method and Qualitative.

Wassermann, G. and Su, Z., 2008, May. Static detection of cross-site scripting vulnerabilities. In Proceedings of the 30th international conference on Software engineering (pp. 171-180). ACM.